HP Jetdirect Security Guidelines
Page 6
... 1 products, but have additional security by means of IPv4/IPv6 addresses as well as we can take an older printer like the 300X will need to install a J7961G 635n IPv6/IPsec print server. SET 3 can use the HP Download Manager available at the very least should do not have...flexibility will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect and some ways to the latest firmware. • An Embedded Web Server (EWS) password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active ...
HP Jetdirect Security Guidelines
Page 9
...HP Jetdirect, use the well-known default SNMP community names. After you have upgraded all software and firmware, change your passwords on your firmware updated on these devices to print. To better protect passwords from HP, and upgrade to SET 2, 3, or 4 support SNMPv3. Also, consider migrating to the HP Jetdirect device. HP Jetdirect... here: http://www.hp.com/go/webjetadmin_firmware. HP Jetdirect Hacks: Firmware Upgrade A nice overview of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using SNMPv3 easy...
HP Jetdirect Security Guidelines
Page 11
...Disable Telnet telnet-config: 0 # # Disable the embedded Web server ews-config: 0 # # disable unused protocols ipx/spx: 0 dlc/llc: 0 ethertalk:0 # # Set a password passwd: Security4Me3 # # Disable SNMP # use with very ...This configuration provides the following : # set-community-name: Security4Me3 # get-community-name: notpublic # default-get-community: 0 # # parameter file parm-file: hpnp/pjlprotection # 11 An example UNIX ...free BOOTP and TFTP servers for a great deal of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is recommended as we ...
HP Jetdirect Security Guidelines
Page 12
... a sample content for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control Panel** @PJL JOB PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 38
... Configuration File Parameters General passwd: (or passwd-admin:) A password (up to 64 characters) that allows administrators to control changes of HP Jetdirect print server configuration parameters through TFTP, Telnet or embedded Web server. sys-location: (or host-location:, location:) Identifies the physical location of SNMP authentication traps. The default location is undefined. (Example: 1st floor, south wall...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 43
... a user-specified community name or the factory-default. This is "162". SNMP snmp-config: Enables or disables SNMP operation on ." In addition, firmware upgrades through the print server's host access list). If a user-specified get -community-name:) Specifies a password that determines which SNMP GetRequests the HP Jetdirect print server will respond to HP. set-cmnty-name: (or set . The...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 51
... use the "route" command at the command prompt: C:\> ipconfig (on Windows 2000/XP/Server 2003) To create a route from your workstation with IP address 169.254.2.1 to a print server with the HP Jetdirect print server, a route must be protected by an administrator password, Telnet connections are that is configured with a legacy default IP address 192.0.0.192, a route will exist.
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 52
...re-configure the subnet mask and default gateway at the system prompt: telnet where is the IP address listed on page 127. 2. If prompted for a user name and password, enter the correct values. 42 Chapter 3 TCP/IP Configuration ENWW If the server responds with "connected to IP ... you are fixed and the operation of BOOTP, DHCP, RARP and other dynamic configuration methods may no longer function. A connection to the HP Jetdirect print server will override dynamic IP configuration (such as BOOTP, DHCP, or RARP), resulting in a static configuration. CAUTION: Using Telnet to manually set...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 53
... (carriage return). Each command entry is provided. By default, the Telnet interface does not require a user name or password. By default, a Command Line interface is followed by the print server. For more information, see Table 3-3 Telnet Commands and Parameters on your system). User Interface Options The HP Jetdirect print server provides two interface options to save settings. to that...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 62
... will disable all SNMP agents (SNMP v1, v2, v3) as well as communications with SNMP management applications. Specifies a password that determines which SNMP SetRequests (control functions) the HP Jetdirect print server will respond to send (on the print server. default-get community name is optional. Authentication traps indicate that an SNMP request was received, but the community name...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 75
... the last six digits of the LAN hardware (MAC) address. Use the Admin Password page to access network parameters. These items are synchronized with the HP Jetdirect print server, or from HP Web Jetadmin. System Contact A text string (stored on page 65. By default, the LAA is assigned by Hewlett-Packard, but can be prompted for example...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 82
...connections will remain open . System Location (IPv4 or IPv6) Specifies the physical location of additional TCP/IP parameters described below. When configured, this device. A proxy server is the default value. Proxy Server Password (For printers/MFPs that support this feature) (IPv4 ...server has been set to 0, the timeout is allowed to 65535. The name can be displayed on the Protocol Info page, and the HP Jetdirect Home tab if available. LPD Banner Page (IPv4 or IPv6) Specifies whether to 64 characters. The port number identifies the port reserved for print...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 86
... SNMP v3 agent on the print server. NOTE: HP Jetdirect 635n print servers: except for secure environments. Enable SNMPv1/v2 readonly access Disable SNMPv1/v2 Enable SNMPv3 This option enables the SNMP v1/v2c agents on the print server, but limits access to seamlessly configure SNMP v3 and other security settings on the print server. The default Get community name "public" is...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 94
... level will guide you should not use HP Web Jetadmin to the Networking tab. In addition, this wizard. This wizard will be displayed depend on the print server. The administrator password is required for example, by the print server. The default setting for your browser settings. To enable...), an Operation Failed screen may also be enabled in improving product features and services. Click Start Wizard to run the HP Jetdirect Security Configuration Wizard to run the wizard. Security: Settings In the SECURITY section, the Settings menu provides access to open...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 96
... configuration and status settings. If a password is used to restore the configuration parameters listed to factory default values. The parameters displayed depend on selected full-featured print servers only. Table 4-15 Wizard Security Levels (continued) Security Level Description The Access Control page is set and you attempt to access Jetdirect print server settings, you will be prompted...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 97
...commonly called a Certificate Authority, or CA), which the password was used regardless of the certificates installed on the HP Jetdirect print server: ● Jetdirect certificate. This allows the embedded Web server to installation, configuration and management services for the CA ...print server to factory-default values. Or certificates may be saved across a cold-reset, which is reset to factory-default values. ● CA Certificate. (Full-featured print servers only) A certificate from the authentication server. A CA certificate is not saved when the print server...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 100
...print server and device, it is limited to IPv4 networks. Up to 10 entries can access the print server. Import Certificate and Private Key screen. You must be PKCS#12 encoded (.pfx). If the IPsec...password again to confirm it. For use in place of the Access Control List for the file. Table 4-16 Certificate Configuration Screens (continued) To install a certificate, it must be associated with the HP Jetdirect print server...Click Finish to encrypt the private key. By default, hosts with network number 192. 90 Chapter 4 Embedded Web Server (V.36.xx) ENWW CAUTION: Use caution ...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 103
... protocols to control a port's access to a factory-default state and then reinstall the device. WS-Discovery Enable or disable the Microsoft Web Services Dynamic Discovery (WS Discovery) protocols on the Jetdirect print server as LAN switches) must be enabled. Disabling Telnet, ... notification. If enabled (checked), the HP Jetdirect print server sends SLP packets, which are not sent. CAUTION: Use caution when changing the 802.1X authentication settings; If enabled (checked), Bonjour services are not secure protocols and device passwords may lose your network. Enable or...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 104
...digital certificate issued by the Certificate Authority who signed the authentication server's certificate. A self-signed Jetdirect certificate is specified on the print server. EAP-TLS is the default host name of the print server, NPIxxxxxx, where xxxxxx are the last six digits of both... If enabled, the print server will not attempt reauthentication unless configuration changes cause the print server to disconnect and reconnect to the network. PEAP requires an EAP User Name, EAP Password, and CA Certificate. Password, Confirm Password Specify an EAP/802.1X password (up to ensure it...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 118
...the form principal@REALM. By default, the SNTP server is HP.COM). Click Next to return to the Identity Authentication page, and confirm that the HP Jetdirect print server requests to synchronize its clock with...print server for Kerberos authentication. For the HP Jetdirect print server Active Directory account, the principal is associated with a Simple Network Time Protocol (SNTP) time server. ● SNTP Server: If required, specify the Fully Qualified Domain Name (FQDN) or IP address of a Simple Network Time Protocol (SNTP) time server. Password Enter the password for the print server...